The exploit relies on a man-in-the-middle attack of the mobile implementation of the OAuth 2.0 authorization standard. That sounds very technical, but what does it actually mean, and is your data safe?

The Single Sign On (SSO) button allows you to grant access to your account information. When you click the Facebook button, the third-party app or website looks for an access token, granting it access to your Facebook information.

If this token isn’t found you will be asked to allow the third-party access to your Facebook account. Once you have authorized this, Facebook receives a message from the third party asking for an access token.

Facebook responds with a token, granting the third-party access to the information you specified. For example, you grant access to your basic profile information, and friends list, but not your photos. The third-party receives the token and allows you to login with your Facebook credentials. Then, as long as the token doesn’t expire, it will have access to the information you authorized.

This seems like a great system. You have to remember less passwords, and get to easily login and verify your information with an account you already have. The SSO buttons are even more useful on mobile where creating new passwords, where authorizing a new account can be time consuming.

What’s the Problem?

The most recent OAuth framework — OAuth 2.0 — was released in October 2012, and was not designed for mobile apps. This has led to many app developers having to implement OAuth on their own, without guidance on how it should be done securely.

While OAuth on websites uses direct communication between the third-party and SSO provider’s servers, mobile apps do not use this direct communication method. Instead, mobile apps communicate to one another through your device.

When using OAuth on a website, Facebook delivers the access token and authentication information directly to the third-party servers. This information can then be validated before logging the user in or accessing any personal data.

The researchers found that a large percentage of Android applications were missing this validation. Instead Facebook’s servers send the access token to the Facebook app. The access token would then be delivered to the third-party app. The third-party app would then allow you to login, without verifying with Facebook’s servers that the user information was legitimate.

The attacker could login as themselves, triggering the OAuth token request. Once Facebook has authorized the token, they could insert themselves in between Facebook’s servers and the Facebook app. The attacker could then change the user id on the token to the victim’s. The username is usually publicly available information too, so there are very few barriers for the attacker. Once the user ID has been changed — but the authorization still granted — the third-party app will login under the victim’s account.

How Does This Affect You?

If an attacker is able to fool an app into believing that he is you, then the hacker gains access to all the information that you store in that service. The researchers created the table shown below which lists some of the information you may expose on different types of apps.

Some types of information are less damaging than others. You are less likely to be worried about exposing your news reading history than all your travel plans, or the ability send and receive private messages in your name. It’s a sobering reminder of the types of information we regularly entrust to third-parties — and the consequences of its misuse.

Should You Worry?

The researchers found that 41.21% of the 600 most popular apps that support SSO on the Google Play Store were vulnerable to the MitM attack. This could potentially leave billions of users around the world exposed to this type of attack. The team conducted their research on Android but they believe that it can be replicated on iOS. This would potentially leave millions of apps on the two largest mobile operating systems vulnerable to this attack.

Image Credit: Bloomicon via Shutterstock

At the time of writing, there have been no official statements from the internet Engineering Task Force (IETF) who developed the OAuth 2.0 Specifications. The researchers have declined to name the affected apps, so you should exercise caution when using SSO on mobile apps.

There is a silver lining. The researchers have already alerted Google and Facebook, and other SSO providers of the exploit. On top of that, they are working alongside the affected third-party developers to fix the problem.

James is a freelance writer passionate about making technology accessible and safe for everyone. Alongside technology writing, also interested in health, travel, music, and mental health. BEng in Mechanical Engineering from the University of Surrey. Can also be found writing about chronic illness at PoTS Jots.